Comments on: Clickjacking with IFRAME: My solution.

By: puterinter

puterinter — Fri, 03 Apr 2009 15:16:50 +0000

This is such an awesome site! Keep it up!

By: Brad

Brad — Tue, 09 Dec 2008 06:42:17 +0000

Ralph is right – iframe is absolutely necessary to host 3rd party content without risking a cross-site scripting attack.
If you place 3rd party content directly in your frame, it’s javascript can mess with the page elements – basically it can do anything to the page that the user could (and more).

By: Boro

Boro — Wed, 03 Dec 2008 00:38:13 +0000

@Ilídio Martins: That would be in Internet Explorer. Better browsers *do* support z-index properly :)

I’d stick with these two for my ‘because’ reasons:
1) WYSIWYG editors
2) Asynchronous file uploading

By: Dan

Dan — Thu, 20 Nov 2008 05:40:38 +0000

As Fred points out and Tom totally misunderstands, it is not possible to upload files using AJAX, thus requiring old fashioned form submission. To make it look “Web 2.0″ you need to put it inside an iframe so the whole page doesn’t refresh.

In addition, I find an iframe is a useful substitution for a frameset with a hidden frame (say, if I want to have an mp3 play while I browse a site, I need the mp3 somewhere outside the frame the user is browsing in… is this useful? Not really, but fun: http://www.mzzt.net/extreme/forums.facepunchstudios.php

By: Ralph

Ralph — Tue, 18 Nov 2008 14:02:02 +0000

Ilídio Martins, Have you heard of something called same origin policy? I suggest for you to read about it before deciding not to agree with something! So if you have firefox and firebug you can make an iframe vulnerable!! Do you even understand what you are saying?! If you are developing a website that 3rd parties can integrate with yours (facebook is a great example), one of the strong ways to protect yourself from them is to load their contents inside an iframe, thus insuring that their code can not affect your code and open it to XSS and session hijacking and similar attacks… If you inject their code directly into your frame, you are risking that any 3rd party component will be able to inject malicious code and hijack the accounts of your end users! Another way is like facebook does it, require the people who will integrate with their site to use a custom set of tags designed by them, which they will process/analyze into html tags and then inject it into their pages.

By: Ilídio Martins

Ilídio Martins — Tue, 18 Nov 2008 12:05:48 +0000

This hit isn’t very usefull, but iframes is the only object that keeps in front, in layers, of a SELECT box with options.

By: Ilídio Martins

Ilídio Martins — Tue, 18 Nov 2008 11:27:28 +0000

I definitely don’t agree with Ralph, on this one. Because isn’t a iframe, that you’ll make your code secure. You can’t inject trough a iframe???? I think it can be done… Just use Firebug & Firefox.

And Fred was right. Ajax file upload can be achieved only via iFrames (like when you’re in gmail or hotmail and need to upload a file to send in a email).

Cups

By: Don

Don — Tue, 18 Nov 2008 11:03:18 +0000

Unfortunately, the level of implementation of XMLHttpRequest differs from browser to browser. While other browsers have the object, they don’t provide anything like the functionality of MSXML.

For example, the XML object in Firefox isn’t created until the entire request is completed so you can’t stream events into that web browser using XHR. This matters if you’re streaming events to browsers without going around the HTTP request/response cycle. To get this level of performance in Firefox, you need to pull off a trick like receiving the event stream as an HTML document full of elements.

The W3C is working on an XHR standard that allows streaming in both directions but that’s in the future.

By: Moe Sweet

Moe Sweet — Tue, 18 Nov 2008 10:55:24 +0000

This one is very rare.

I use SVG and VML which are vector graphics for browsers. These files work on .svg / .vml extension and definitely need different DOCTYPES than HTML.

You cannot mix it with other HTML codes and JS codes within the same frame.
You cannot call it via AJAX which would also make them mixed.

That’s why we, I, need iFrames though I don’t like them.

And Fred was right. Ajax file upload can be achieved only via iFrames.

Cheers

By: Ralph

Ralph — Tue, 18 Nov 2008 09:32:49 +0000

You can not do without an iframe. What happens if you get your html code using XMLHttpRequest and Inject it in your page and someone clicks on a link, or activates some javascript code that will run within your page? What about Security when you get contents from another Website and put it in an Iframe, if you inject it in your page, you are doomed, you lost a level of security that the browser gives you that protects sites from different domains from interacting with each other. What about creating a website that interacts old asp code and new asp.net code where by you need to include the old asp code in an iframe to run there (this is a project of a Network Operation Center which I was assigned to do lately where you have an already done control panel by the vender which is classic asp, but we needed to augment it with new features)… Are these enough for you to start with :) You can not let go of the iframe. Mind you also that XMLHttpRequest can not do cross site requests, while an iframe (given some prerequisites) can do that on subdomains. The web is not ready to live without the Iframe :)

By: Henry

Henry — Tue, 18 Nov 2008 07:48:35 +0000

One might want to develop a website that works with Javascript disabled.

By: Ross Presser

Ross Presser — Tue, 18 Nov 2008 03:23:59 +0000

From Wikipedia’s IFRAME article:

More recently, Mozilla Firefox, Opera and Microsoft Internet Explorer introduced contentEditable and designMode, which enables users to edit the contents of the HTML contained in an IFrame. This feature has been used to develop rich text (WYSIWYG) editors within an IFrame element like FCKeditor or TinyMCE. Popular web applications which make use of this feature include Google Docs & Spreadsheets (formerly Writely), JotSpot Live, and Windows Live Hotmail, to name a few.

Disabling FCKeditor would make many, many website owners very unhappy indeed.

By: Jon

Jon — Tue, 18 Nov 2008 03:02:31 +0000

LOL wait no i like my ipod…

By: Tom

Tom — Tue, 18 Nov 2008 00:38:38 +0000

/face palm
Oh dear god… iframes are NOT web 2.0… Ajax pretty much started the 2.0 craze.
KILL THE IFRAME

(iFrame..? iPod.. Apple? KILL APPLE)

By: Matt

Matt — Mon, 17 Nov 2008 19:15:01 +0000

Fred, don’t worry – it was perfect. I wouldn’t have know if you hadn’t had said! :o)

By: Ilia Jerebtsov

Ilia Jerebtsov — Mon, 17 Nov 2008 17:05:48 +0000

My favorite use is making sure that ads and certain javascripts don’t block the page rendering while they load. There’s nothing more annoying than having to wait for a lagged out ad server.

They’re also used nowadays to add back-forward navigation in AJAX pages.

Ultimately they’re just an easy way to load offsite content asynchronously, that works without any Javascript fuss.

By: Fred

Fred — Mon, 17 Nov 2008 16:51:29 +0000

Hello,

If I remember well, iFrame is the only way to provide a fancy “Web 2.0″ feature: inline file uploading form, which is used in GMail for instance.

I hope my english is not too bad… (I’m French)

Regards.